{"id":"OESA-2026-1220","summary":"nodejs security update","details":"Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\n\nSecurity Fix(es):\n\nA flaw in Node.js's permission model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.(CVE-2025-55130)\n\nNode.js has released security updates addressing multiple vulnerabilities affecting its active release lines (20.x, 22.x, 24.x, 25.x). Key issues include:\n1.  **CVE-2025-55131 (High)**: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted using the `vm` module with the `timeout` option. Buffers allocated with `Buffer.alloc` and other TypedArray instances like `Uint8Array` may contain leftover data, potentially leaking in-process secrets (tokens, passwords) or causing data corruption.\n2.  **CVE-2025-55130 (High)**: A flaw in Node.js's permission model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths, escaping the allowed directory to read or write files outside it.\n3.  **CVE-2025-59465 (High)**: A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash due to an unhandled TLSSocket error, leading to a remote denial of service.\n4.  **CVE-2025-59466 (Medium)**: A bug in Node.js error handling makes \"Maximum call stack size exceeded\" errors uncatchable when `async_hooks.createHook()` is enabled, causing the process to terminate unrecoverably.\n5.  **CVE-2025-59464 (Medium)**: A memory leak in Node.js's OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer during `socket.getPeerCertificate(true)`, allowing remote memory exhaustion.\n6.  **CVE-2026-21636 (Medium)**: A flaw in Node.js's permission model allows Unix domain socket connections to bypass network restrictions even when the corresponding network permission has not been granted.\n7.  **CVE-2026-21637 (Medium)**: A flaw in Node.js TLS error handling allows synchronous exceptions thrown during `pskCallback` or `ALPNCallback` to bypass standard error handlers, causing process termination or file descriptor leaks.\n8.  **CVE-2025-55132 (Low)**: A flaw in Node.js's permission model allows file timestamps to be changed via `fs.futimes()` even with only read permissions, potentially obscuring activity in logs.(CVE-2025-55131)\n\nA flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.(CVE-2025-55132)\n\nA malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets. Attaching one, for example:\n```\nserver.on('secureConnection', socket => {\n  socket.on('error', err => {\n    console.log(err)\n  })\n})\n```\nlets the error be handled instead of terminating the process.(CVE-2025-59465)\n\nWe have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.(CVE-2025-59466)\n\nA flaw in Node.js TLS error handling allows synchronous exceptions thrown during `pskCallback` or `ALPNCallback` to bypass standard error handlers, causing process termination or file descriptor leaks.(CVE-2026-21637)","modified":"2026-03-11T07:15:16.261917Z","published":"2026-01-23T12:23:26Z","upstream":["CVE-2025-55130","CVE-2025-55131","CVE-2025-55132","CVE-2025-59465","CVE-2025-59466","CVE-2026-21637"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1220"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55130"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55131"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55132"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59465"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59466"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21637"}],"affected":[{"package":{"name":"nodejs","ecosystem":"openEuler:24.03-LTS","purl":"pkg:rpm/openEuler/nodejs&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.18.2-5.oe2403"}]}],"ecosystem_specific":{"x86_64":["nodejs-20.18.2-5.oe2403.x86_64.rpm","nodejs-debuginfo-20.18.2-5.oe2403.x86_64.rpm","nodejs-debugsource-20.18.2-5.oe2403.x86_64.rpm","nodejs-devel-20.18.2-5.oe2403.x86_64.rpm","nodejs-full-i18n-20.18.2-5.oe2403.x86_64.rpm","nodejs-libs-20.18.2-5.oe2403.x86_64.rpm","npm-10.8.2-1.20.18.2.5.oe2403.x86_64.rpm","v8-devel-11.3.244.8-1.20.18.2.5.oe2403.x86_64.rpm"],"noarch":["nodejs-docs-20.18.2-5.oe2403.noarch.rpm"],"aarch64":["nodejs-20.18.2-5.oe2403.aarch64.rpm","nodejs-debuginfo-20.18.2-5.oe2403.aarch64.rpm","nodejs-debugsource-20.18.2-5.oe2403.aarch64.rpm","nodejs-devel-20.18.2-5.oe2403.aarch64.rpm","nodejs-full-i18n-20.18.2-5.oe2403.aarch64.rpm","nodejs-libs-20.18.2-5.oe2403.aarch64.rpm","npm-10.8.2-1.20.18.2.5.oe2403.aarch64.rpm","v8-devel-11.3.244.8-1.20.18.2.5.oe2403.aarch64.rpm"],"src":["nodejs-20.18.2-5.oe2403.src.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2026-1220.json"}}],"schema_version":"1.7.5"}
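Added example, not part of the OESA-2026-1220 record or of any openEuler tooling: the Python below checks an installed openEuler nodejs version against the `affected` ranges of the record above. It assumes a simplified reimplementation of RPM's rpmvercmp ordering (numeric segments beat alphabetic ones, `~` sorts before everything else, `^` is not handled) and uses a constructed excerpt of the record as its input; on a real host the installed string would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs`.

```python
"""Check an installed nodejs RPM EVR against the OSV record's ECOSYSTEM ranges.

Added example; not code from the OESA-2026-1220 record or from openEuler.
The rpmvercmp below is a simplified reimplementation (assumption): numeric
segments beat alphabetic ones, "~" sorts before everything, "^" is ignored.
"""
import json
import re

# Constructed excerpt of the OSV record on this page (only the fields used here).
OSV_EXCERPT = json.loads("""
{"id": "OESA-2026-1220",
 "affected": [{"package": {"name": "nodejs", "ecosystem": "openEuler:24.03-LTS"},
               "ranges": [{"type": "ECOSYSTEM",
                           "events": [{"introduced": "0"},
                                      {"fixed": "20.18.2-5.oe2403"}]}]}]}
""")

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")          # separators such as "." are dropped
_EVR = re.compile(r"^(?:(\d+):)?([^-]+)(?:-(.+))?$")  # [epoch:]version[-release]


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version (or release) strings RPM-style."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":                     # tilde: "1.0~rc1" is older than "1.0"
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():  # numeric: compare as integers ("10" > "9")
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
            continue
        if x.isdigit():                  # numeric segment beats alphabetic one
            return 1
        if y.isdigit():
            return -1
        return 1 if x > y else -1        # both alphabetic: plain string order
    if len(sa) == len(sb):
        return 0
    shorter, longer = (sa, sb) if len(sa) < len(sb) else (sb, sa)
    longer_is_a = longer is sa
    if longer[len(shorter)] == "~":      # leftover starting with "~" makes it older
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1      # otherwise the string with more segments is newer


def split_evr(s: str):
    """Split "epoch:version-release" into (int epoch, version, release)."""
    m = _EVR.match(s)
    if not m:
        raise ValueError(f"not an EVR string: {s!r}")
    return int(m.group(1) or 0), m.group(2), m.group(3) or ""


def compare_evr(a: str, b: str) -> int:
    """Compare full EVR strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def vulnerable_fixed_in(record: dict, package: str, ecosystem: str, installed: str):
    """Return the 'fixed' EVR the installed package falls short of, or None if patched."""
    for aff in record["affected"]:
        pkg = aff["package"]
        if pkg["name"] != package or pkg["ecosystem"] != ecosystem:
            continue
        for rng in aff["ranges"]:
            if rng["type"] != "ECOSYSTEM":
                continue
            introduced = next((e["introduced"] for e in rng["events"] if "introduced" in e), "0")
            for ev in rng["events"]:
                fixed = ev.get("fixed")
                # vulnerable when introduced <= installed < fixed; "0" matches any version
                if fixed and compare_evr(installed, introduced) >= 0 \
                        and compare_evr(installed, fixed) < 0:
                    return fixed
    return None


if __name__ == "__main__":
    # Constructed sample: what `rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs` might print.
    for evr in ("20.18.2-4.oe2403", "20.18.2-5.oe2403"):
        fix = vulnerable_fixed_in(OSV_EXCERPT, "nodejs", "openEuler:24.03-LTS", evr)
        print(f"nodejs {evr}: {'VULNERABLE, update to ' + fix if fix else 'patched'}")
```

The epoch is compared first because openEuler, like other RPM distributions, may bump it on a rebase; a version string from `rpm -q` that omits the epoch is treated as epoch 0, which matches RPM's own default.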